PREFACE


The work described in this report was performed in the context
of an overall program at the Transportation Systems Center to
evaluate anticipatory crash sensor concepts as applied to activation
of automobile passive restraint systems. This report specifically
examines the design and reliability of the signal processor
associated with a radar sensor. The program is sponsored by the
National Highway Traffic Safety Administration, Office of Vehicle
Structures Research, Department of Transportation. This program
supports Government activities designed to promote greater safety
on the nation's highways and reduce injury and fatalities in traffic
accidents.

We  are  grateful  for  the  assistance  provided  by  the  Defense, 
Space,  and  Special  Systems  Group  of  the  Burroughs  Corporation, 
Paoli,  Pennsylvania,  who  conducted  the  signal  processor  design  and 
reliability  studies. 


CONTENTS

Section

1 INTRODUCTION
    Purpose
    Basic Approach

2 FUNCTIONAL REQUIREMENTS
    General
    Triggering Criteria
    System Functional Organization
    Failure Modes

3 DESIGN APPROACH
    Technology Selection
    Bipolar Driver
    MOS Processor
    Circuit Techniques Selection
    Digital Circuits
    Analog Circuits
    Processor Design
    Basic System
    Logic
    Special Circuits
    Self-Test Processor
    Purpose and Approach
    Self-Test Functions
    Test Program

4 RELIABILITY-COST ANALYSIS
    Approach
    Summary
    Determination of Basic Failure Rates
    P-MOS Failure Rate Model
    Basic Circuitry Failure Rate Prediction
    Basic Circuitry with Self-Check Test Circuit Failure Rate Prediction
    Bipolar High Power (Current) Switch Failure Rate Prediction
    Bipolar Zener Diode Clamp Prediction
    Failure Mode and Effects Analysis (FMEA)
    Functional Area and Failure Classification Apportionment
    Qualitative Analysis
    Reliability and Cost Analysis

5 REPORT SUMMARY
    Overall Design Plan
    Redundant Circuitry Cost/Effectiveness
    Self-Testing
    Costs
    Failure Rate Prediction

Appendix

A Failure Mode and Effect Analysis (FMEA) Tables
B Report of Inventions

LIST OF ILLUSTRATIONS

Figure

2-1.  Triggering Criteria
2-2.  System Functional Organization
3-1.  Basic Gate Circuits
3-2.  Complex NOR Gate
3-3.  Unit Delay
3-4.  Dynamic Flip-Flops
3-5.  Voltage Regulator Implementation
3-6.  Power Supply Turn-On Sensing Implementation
3-7.  Processor System
3-8.  Processor State Flow Diagram
3-9.  MOS Analog Channel
3-10. Oscillator and Clock Driver
3-11. Power Turn-On Detector
3-12. Self Test Functions
3-13. Self Test Program
4-1.  Basic System
4-2.  Redundant MOS
4-3.  Redundant MOS and Bipolar
4-4.  MOS/Bipolar Redundant
4-5.  Voting MOS Only
4-6.  Voting MOS and Redundant Bipolar
4-7.  Voting MOS/Bipolar



LIST OF TABLES

Table

4-1.  SYSTEM CONFIGURATION RELIABILITY AND COST (NO REPAIR)
4-2.  PREDICTED RELIABILITY (WITHOUT AND WITH REPAIR) (CONFIGURATION 4-4)
4-3.  FAILURE RATE BY FAILURE CLASSIFICATION (BASIC DESIGN CONFIGURATION)
4-4.  SYSTEM FAILURE RATE APPORTIONED BY FUNCTIONAL AREA
4-5.  PRIORITY LIST OF CRITICALITY
4-6.  BASIC SYSTEM FAILURE RATES BY CLASSIFICATION
4-7.  FAILURE RATES AND WEIGHT FACTORS FOR BASIC BUILDING BLOCKS ( X = F/ 10° Hrs. )




SECTION 1. INTRODUCTION


PURPOSE 

This  report  covers  the  primary  efforts  of  Contract  DOT-TSC-409,  encompassing 
a 60-day  effort  for  high  reliability  design  and  failure  rate  prediction  of  a 
monolithic  Crash-Sensor  Signal  Processor  MOS  LSIC  and  Bipolar  driver. 

An optimum cost vs. reliability basic approach that included technology,
circuit techniques and circuit-logic design was established. This design was
evaluated for quantitative reliability characteristics including a detailed
failure modes and effects analysis.

A variety  of  significant  self-testing  redundant  and  voting  configurations  were 
defined  and  tabulated  for  cost  vs.  reliability  effectiveness.  The  results 
fully  demonstrate  that  very  low  cost  (<$10)  and  very  high  reliability 
(>  .999  per  year)  can  be  achieved  concurrently  by  monolithic  techniques  without 
compromising  processor  performance. 

A breadboard  version  of  the  basic  signal  processor  circuit  was  also  established 
and  three  deliverable  assemblies  have  been  fabricated. 

BASIC  APPROACH 

The  advanced  status  of  solid  state  large  scale  integrated  circuit  technology  forms 
a totally  appropriate  and  flexible  basis  for  an  optimum  hardware  realization  of 
the  Automobile  Crash-Sensor  Signal  Processor. 

The required analog input and digital logic processing functions can be
implemented on a single medium-size MOS chip and combined with a Bipolar power
driver circuit within a hermetic IC package. As a result, the Crash-Sensor
Signal Processor circuit is basically compatible with very low cost, very high
reliability hardware techniques. Furthermore, additional functions (e.g., self
test), redundant chips and voting configurations are all attainable within the
basic price vs. complexity guideline (<$10).

Subsequent design approach discussions will show that a series of logical
choices can be made to fundamentally establish an optimum cost vs. reliability
monolithic approach and that intrinsic low cost and high reliability are
"built in" throughout the design procedure. Reliability predictions and failure
modes and effects analysis will then substantiate the design results.


SECTION 2. FUNCTIONAL REQUIREMENTS

GENERAL 

The Automobile Crash-Sensor Signal Processor performs the function of rendering a
restraint deployment decision on the basis of input data from a doppler radar and
impact switch sources. The objective of the specified processing is the
anticipation of imminent collision in sufficient time to permit restraint
deployment, while maintaining maximum practical protection against deployment
under non-crash conditions.

In order to achieve this objective, the processor must evaluate the relative velocity
of approach of a radar-detected object and extract the maximum possible confirming
information within the limits imposed by the lead-time requirement. In the
particular case of a low approach velocity, it is practical and desirable to delay
the deploy decision until confirmation is obtained from a mechanical switch which is
activated by the initial phases of the impact. At higher velocities, however,
deployment must be initiated prior to the start of impact, and the deployment decision
must be made on radar information alone. In this case, the processor must verify that
the radar signal has the proper characteristics and must provide the deployment signal
with the proper degree of lead time.

Although self-checking and failure indication are not specific operational
requirements, such provisions are essential if the required degree of reliability
is to be achieved at low cost.

Triggering  Criteria 

The doppler radar (X-band) provides a nominally sinusoidal output voltage of a
frequency proportional to the approach velocity. The constant of proportionality is
30.1 Hz/mph. Thus, a 10 mile per hour approach yields a doppler frequency of 301 Hz.

A legitimate radar return produces a minimum amplitude of 20 millivolts,
peak-to-peak. No triggering is allowable for signals of less than 18 millivolts, and
triggering must occur at 22 millivolts, provided other criteria are met.

Signals  below  18  millivolts  constitute  Case  I,  for  which  no  triggering  is  permitted. 

The  other  processing  regimes  involve  signal  amplitudes  greater  than  this  threshold  and 
are  defined  below: 

Case II. Signal frequency less than 500 ± 20 Hz or greater than 5000 ± 100
Hz (closing speed is less than 17 or greater than 166 mph): no triggering
under any circumstances.

Case III. Signal frequency greater than 500 ± 20 Hz but less than 1000 ± 20
Hz (closing speed is between 17 and 33 mph): Triggering is within two
milliseconds of the impact signal provided that N cycles of the radar signal
have occurred within 150 milliseconds prior to the impact signal. N is to
be a fixed number not less than 8 nor exceeding 20.

Case IV. Signal frequency is 1000 ± 20 Hz to 3000 ± 100 Hz (closing speed is
33 to 100 mph): Triggering within 5 milliseconds after N' cycles of signal
occur; N' is a fixed number not exceeding 20 nor less than 8 but not
necessarily equal to N.

Case V. Signal frequency is 3000 to 5000 Hz (± 100 Hz) (closing speed is
between 100 to 170 mph): Triggering is allowable for more than 8 cycles
received, but triggering is not mandatory.

The  above  triggering  criteria  are  depicted  graphically  in  Figure  2-1. 
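The criteria above leave bands in which either decision conforms (18 to 22 mV, and each frequency boundary within its tolerance), which matters when testing a unit against them. The following is an added example, not part of the original report: a small oracle that returns the set of trigger decisions the criteria permit for a given input. It assumes the cycle counts N = 16 and N' = 20 that the report later gives as its design values, and it does not model the 2 ms and 5 ms response-time limits.

```python
"""Conformance oracle for the report's triggering criteria (Cases I-V)."""
from enum import Enum

HZ_PER_MPH = 30.1            # doppler constant stated in the report
AMP_NEVER_MV = 18.0          # below this: Case I, no triggering permitted
AMP_MUST_MV = 22.0           # at or above this the amplitude criterion is met
# (nominal boundary, tolerance) in Hz between the five frequency regimes
BOUNDARIES = [(500.0, 20.0), (1000.0, 20.0), (3000.0, 100.0), (5000.0, 100.0)]
N = 16         # Case III cycle count (assumed: the report's design value)
N_PRIME = 20   # Case IV cycle count (assumed: the report's design value)


class Case(Enum):
    I = 1     # amplitude below threshold
    II = 2    # frequency outside the 500 Hz .. 5000 Hz band
    III = 3   # 500 .. 1000 Hz: radar count plus impact switch
    IV = 4    # 1000 .. 3000 Hz: radar count alone
    V = 5     # 3000 .. 5000 Hz: triggering allowed, not mandatory


# Frequency regimes from low to high and the case each one maps to.
REGIME_CASES = [Case.II, Case.III, Case.IV, Case.V, Case.II]


def mph_to_hz(mph):
    """Doppler frequency for a closing speed in miles per hour."""
    return mph * HZ_PER_MPH


def frequency_cases(freq_hz):
    """Cases a conforming unit may assign, honouring boundary tolerances."""
    cases = set()
    for regime, case in enumerate(REGIME_CASES):
        lower_ok = True
        upper_ok = True
        if regime > 0:                       # regime has a lower boundary
            nominal, tol = BOUNDARIES[regime - 1]
            lower_ok = freq_hz >= nominal - tol
        if regime < len(BOUNDARIES):         # regime has an upper boundary
            nominal, tol = BOUNDARIES[regime]
            upper_ok = freq_hz <= nominal + tol
        if lower_ok and upper_ok:
            cases.add(case)
    return cases


def allowed_cases(amplitude_mv, freq_hz):
    """All cases the criteria permit for this amplitude and frequency."""
    if amplitude_mv < AMP_NEVER_MV:
        return {Case.I}
    cases = frequency_cases(freq_hz)
    if amplitude_mv < AMP_MUST_MV:
        cases.add(Case.I)                    # 18..22 mV: either reading conforms
    return cases


def case_outcomes(case, cycles, impact):
    """Permitted trigger decisions (True = trigger) once the case is fixed.

    cycles: radar cycles received; for Case III, those inside the 150 ms
    before the impact signal. impact: impact switch closure seen.
    """
    if case in (Case.I, Case.II):
        return {False}
    if case is Case.III:
        return {True} if impact and cycles >= N else {False}
    if case is Case.IV:
        return {True} if cycles >= N_PRIME else {False}
    return {True, False} if cycles > 8 else {False}      # Case V


def permitted_outcomes(amplitude_mv, freq_hz, cycles, impact):
    """Union of permitted decisions over every case the input may fall in."""
    outcomes = set()
    for case in allowed_cases(amplitude_mv, freq_hz):
        outcomes |= case_outcomes(case, cycles, impact)
    return outcomes


def conforms(triggered, amplitude_mv, freq_hz, cycles, impact):
    """True when an observed decision is one the criteria permit."""
    return triggered in permitted_outcomes(amplitude_mv, freq_hz, cycles, impact)
```

A result of `{True, False}` marks an input inside a tolerance band or in Case V, where a test bench cannot fail the unit for either decision.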

System  Functional  Organization 

Although a purely analog (i.e., filter/detector) approach to the processing is
feasible, the stated criteria are manifestly compatible with a digital system design.

The  approach  described  in  this  report  is  a digital  one,  and  the  following  system 
organization  description  is  therefore  couched  in  digital  terms. 

Figure 2-2 depicts the system organization. The radar signal is amplified and digitized
in such a manner that one pulse is produced for each cycle which exceeds the action
threshold (20 millivolts, peak-to-peak, at the input). The incoming pulse rate is
compared with the reference clock oscillator, and the frequency regime is thereby
established. The latter operation controls the selection of the triggering mode, so
that appropriate count accumulations must be achieved before deployment.

Figure 2-2. System Functional Organization


If  a Case  III  situation  is  established,  additional  criteria  must  be  met.  Thus, 
deployment  occurs  only  if  the  count  reaches  N and  the  impact  switch  confirmation  is 
received  before  expiration  of  the  150-millisecond  timing  window. 

Failure  Modes 

Inasmuch  as  the  consequences  of  a system  malfunction  may  vary  greatly,  depending  on 
the  exact  nature  of  the  defect,  it  is  necessary  to  classify  failure  modes  and  to 
separately  examine  the  corresponding  failure  probabilities  before  making  an  overall 
reliability  or  cost-effectiveness  judgement.  Four  primary  failure  modes  are  defined 
as  follows: 

a.  Triggering  occurs  with  no  signal,  or  with  a signal  below  the  50  percent 
of  specified  amplitude  or  cycle  count,  or  more  than  50  percent  outside 
of  the  frequency  limits. 

b.  Triggering  with  the  above  parameters  at  over  50  percent  but  less  than 
100  percent  of  the  specified  values. 

c.  Inability to trigger with a signal amplitude or cycle count greater than
the threshold, but less than 1.5 times the threshold; or with a
frequency inside the passband and removed from its limits by a factor of
1.5.

d.  Inability  to  trigger  wherein  the  above  factor  is  1.5  or  greater  (including 
the  totally  inoperative  case). 

The relative weighting of each failure mode, and the effects of self-checking on the
individual reliability figures, are fully discussed in section 4 of this report.

SECTION 3. DESIGN APPROACH


TECHNOLOGY  SELECTION 
Bipolar  Driver 

The Crash Sensor Signal Processor Circuit must provide direct drive for a
restraint deploy solenoid or for an equivalent electromechanical device. This
requirement involves output pulse currents on the order of ten amperes and
inductive "kick" voltages on the order of 100 volts.

MOS devices are totally unsuited to these driver conditions, being practically
limited to peak currents on the order of ten milliamperes and breakdown
voltages on the order of 30 volts. Consequently, a circuit/technology partitioning
is directly established where the low power logic deploy signal pulse is
derived in the MOS processor LSIC chip and activates a high current Bipolar
Driver small scale integrated circuit chip.

Although the peak current and low ON resistance requirements (<0.5 ohm) of the
output switch imply large geometry devices, energy dissipation under pulse
conditions is only about 0.1 watt-second at essentially zero duty cycle.
Consequently no significant thermal rise is involved and the two chips (MOS and
Bipolar) can be combined in one standard IC package.

The speed (t_r = 1 ms), saturation (r_on < 0.5 ohm), breakdown voltage (= 100V) and
power dissipation conditions are all consistent with relatively simple
double-diffusion processing of the required power switches, resistors, protection
diodes and a Zener clamp.

MOS Processor


The  immediate  choice  of  an  MOS  approach  for  the  Processor  primary  technology  is 
based  on  the  widely  proven  fact  that  MOS  IC's  are  intrinsically  less  expensive 
and  more  reliable  than  Bipolar  IC's,  and  that  all  the  Crash-Sensor  Processor 
functional  and  performance  requirements  and  circuit/device  characteristics  are 
comfortably  within  established  MOS  capabilities. 

The  further  choice  of  P-MOS,  as  opposed  to  C-MOS  or  N-MOS,  is  based  on  the 
following  additional  factors. 

1.  P-MOS technology is the most established, best understood,
best controlled, most widely used, least critical,
least expensive, and requires the fewest processing steps
of the available MOS technologies.

2.  The voltage levels, current allowances, frequency requirements
and complexity of the Crash-Sensor Processor are
completely compatible with high yield P-MOS techniques,
especially ion-implant for low voltage, single supply
operation.


Ion-implant is applicable to all MOS technologies as a means to obtain lower
device threshold voltages, depletion mode current sources, tailored device
threshold voltages, self-aligned gates, and high impedance resistors.
Diffusionless wafer processing is also practical and being initiated. This additional
technology/process feature is also selected for the most efficient realization
of the Crash-Sensor Processor analog and digital functions.


CIRCUIT  TECHNIQUES  SELECTION 
Digital  Circuits 

In  addition  to  technology/process  selection,  specific  digital  circuit/logic 
design  requires  selection  from  several  possible  circuit  techniques. 

The two major categories of circuits are static (dc) and dynamic (ac). Dynamic
logic is significantly more efficient than static logic because of the ability
to utilize intrinsic capacity charge-storage for delay functions. On this basis,
two-phase dynamic logic has also been selected for the Crash-Sensor Processor.

Gate Circuits


The dynamic MOS form of the basic inverter, NOR and NAND circuits is shown
in Figure 3-1. A high resistance load (pull-up) device and a lower resistance
input switch(es) are common to all configurations. The switch-load resistance
ratio assures a sufficiently low zero level when the input switch is ON. The
load device is also switched by φ1 or φ2 of the circuit clock so that
conduction (ONE output) can occur only in the proper phase relation with associated
circuits.

Figure  3-2  shows  the  manner  in  which  complex  gating  functions  can  be  realized 
under  a single  node  (load  device)  with  minimum  device  count.  Note  that  with 
this  type  of  circuit  capability,  device  count  is  one  load  device  plus  one  switch 
for  each  input  (9).  Similar  complex  structures  can  be  realized  with  NAND 
(series)  outputs  although  the  example  shown  is  a NOR  (parallel)  output. 

Storage  Circuits 

Figure 3-3 illustrates the basic charge-storage delay function utilized in
dynamic logic via a unit delay circuit. The capacity utilized is intrinsic
distributed capacity associated with interconnects (= 0.2 pF) loaded only by
the MOS gates (> 10^2 ohm). An additional device feature is the inclusion of
non-critical series switches which serve to isolate the stored-charge at gates
on out-of-phase clock periods.

The unit delay circuit shown is also the basis of a single shift register
stage where the use of capacitor charge-storage results in less than one-third
the device count that would be required with a d-c master-slave flip-flop
implementation.

Figure 3-4 shows the three dynamic flip-flop configurations used in the
Processor circuit design and evaluation. The sample and hold flip-flop is
used for storage registers and pulse-to-level conversion. The J-K flip-flop
is optimum for program and control functions. The toggle flip-flop is a
special case J-K which sets on the input fall instead of the input rise and
finds use in timing counter or accumulator functions.

Figure 3-1. Basic Gate Circuits

Figure 3-2. Complex NOR Gate

Figure 3-4. Dynamic Flip-Flops


Analog  Circuits 


MOS  Analog  Techniques 

The processing of analog signals with P-MOS devices requires the exploitation
of circuit techniques which differ from those used in more conventional
Bipolar amplifiers. In particular, complementary devices are not available so
that voltage level translation problems occur between d-c stages. On the
other hand, the virtually infinite input impedance of the MOS devices
significantly simplifies interstage a-c coupling.

The key to optimum design of the required analog functions exists in utilization
of ion-implant device threshold adjustment flexibilities. Depletion mode
devices provide fairly ideal current sources for load (pull-up) elements,
differential stage source current(s) and regulator supply current. The primary
d-c interstage voltage translation problem from a differential stage to a
grounded-source stage is practically solved by setting the differential stage
active devices to a relatively low threshold (= 2V) and leaving the
grounded-source device at a fairly high threshold (-4 V). Additional device geometry
control permits adjustment of depletion mode drain current.

Very high value (> 1 megohm), loose-tolerance resistors can be achieved by
pinching P-region resistors with a control gate. Fairly close tolerance
divider ratios are made by tapping a single diffused or P-resistance.

Because of the virtually infinite active device input impedance, very small
monolithic capacitors are practical in conjunction with very high value pinch
resistors.

The  technique  for  implementation  of  a practical  voltage  regulator  is  shown 
in  Figure  3-5.  Again,  the  use  of  ion-implant  technology  permits  the  use  of  a 
constant  current  source  (upper  device)  supplying  a constant  voltage  source 
connected  enhancement  mode  device  (lower).  The  regulated  voltage  is  then 
established  as  the  threshold  voltage  of  the  lower  (enhancement)  device. 

Power supply turn-on sensing can be most efficiently implemented by the circuit
of Figure 3-6 where a depletion mode current source charges a small monolithic
capacitor. The initialization time (T_0) will then be established by the rate
of the capacitor voltage charge (dv/dt = I_K/C) and the threshold (V_x) of a
following stage.

Figure 3-5. Voltage Regulator Implementation

Figure 3-6. Power Supply Turn-On Sensing Implementation

PROCESSOR  DESIGN 
Basic  System 

The  basic  processor  design  organization,  indicating  major  functions  and  areas, 
is  illustrated  in  Figure  3-7.  Key  areas  are  as  follows: 

Analog Preprocessing

A-C amplification (X100), Amplitude Detection (Comparator)
and Digital Differentiator.

Digital Processing

— Master Oscillator and Regulator, and Clock Driver.

— 12-bit Frequency Period Timing Counter and Decoders.

— Frequency Consistency Subroutine 5-bit Register,
7-bit Counter, a 7-bit Comparator and Control.

— 5-bit Cycle Count Accumulator and Decoders.

— Four-Program Flip-Flops and Control Gates.

— Internal Control Gates.

— Power-On Detector(s) (T_0, T_0').

— Deploy Gate and Pulse Generator.

Bipolar Power Circuits

— Output Switches (series redundant)

— Output Drivers

— Power Supply Zener Clamp

A minimum number of external connections are required for direct signal
processing. These are the doppler input signal (e_d), the impact switch line (S_i),
the deploy output line (D) and B+ and Ground (5). Nine additional connections
are available for efficient chip test and evaluation. These include the
four-program flip-flops, the digitized input signal (a), and key internal signals.

Logic


The Processor program exact design is shown in the state flow diagram of
Figure 3-8. Since the decision point notations are abbreviated in the
representation, the following definitions are pertinent:

a:     e_d > e_min = 20 mV ± 10%, i.e., a TRUE output from the
       differential comparator.

a_0:   The first comparator output pulse, which initiates
       processing.

V      The second comparator output pulse, representing the
       end of the first doppler signal cycle.

t_4:   The period corresponding to the limit for the highest
       acceptable doppler frequency (5 kHz).

t_1:   The period corresponding to the limit for the lowest
       acceptable doppler frequency (500 Hz).

N_8:   An accumulation (count) of eight doppler signal cycles.

X:     The output from the frequency consistency subroutine
       indicating that a cycle is improperly longer (>1.25)
       or improperly shorter (< .75) than the first cycle.

8t_4:  The period corresponding to eight cycles of the maximum
       acceptable doppler frequency (1.6 ms).

8t_3:  The period corresponding to eight cycles of the 3 kHz
       processing mode decision frequency (2.64 ms).

8t_2:  The period corresponding to eight cycles of the 1 kHz
       processing mode decision frequency (8.0 ms).

8t_1:  The period corresponding to eight cycles of the 500 Hz
       minimum acceptable doppler frequency (16.0 ms).

T_i:   The 150-ms period required as a check time when the
       doppler frequency is between 500 Hz and 1.0 kHz.

S_i:   The impact switch input (closure).

N:     The number of doppler signal cycles specified for
       triggering when the signal frequency is between 500 Hz
       and 1.0 kHz. The processor design configuration uses
       N = 16.

N':    The number of doppler signal cycles specified for
       triggering when the signal frequency is between 1.0 kHz and
       3.0 kHz. This design uses N' = 20.

N_9:   An accumulation of eight plus one doppler signal
       cycles as required for triggering when the signal
       frequency is between 3.0 kHz and 5.0 kHz.

D:     Restraint deployment triggering signal (16.0 ms
       duration).

Figure 3-8. Processor State Flow Diagram

The  processor  state  flow  program  details  are  as  follows: 

S0:  Steady State - where the doppler input signal level is below the
20 mV (pk-pk) voltage level threshold. All processing functions
are clear and reset; especially timing (frequency)
and cycle count.

All invalid signal conditions and a deploy output result
in direct return to the steady state.

S11, S12:  Initial Processing Check States - occurrence of a signal
level greater than threshold (a_0) initiates the input
switch timing window (T_i), the frequency validation and
classifying windows (8t_1, 8t_2, 8t_3, 8t_4), and the initial
accept or reject windows (t_4, t_1).

S21, S22, S23, S24:  Frequency Classification States - If period
(frequency) conditions are acceptable in S1 and S2 (t_4 < t_a < t_1),
the doppler signal cycle count accepts a first pulse and
the 5-bit first cycle period word (t_a) is loaded into the
frequency consistency check register. Frequency classification
then proceeds until 8 signal cycles have been counted or
frequency inconsistency is indicated (X = .75 t_a < t < 1.25 t_a).

S31, S32:  Low Frequency Deploy States - If the eight cycle count (N_8)
internal signal occurs after window 8t_2 expires and before
window 8t_1 expires, the program advances to S31, looking for
an N (16) cycle count before window T_i expires. Normal
satisfaction of S31 (N · T_i) produces advance to the direct-to-deploy
(Class II) state S32, which leads to deploy when an impact
switch signal occurs before window expires.

S4:  Median Frequency (Class III Deploy) State - This state is achieved
when N_8 occurs after timing window 8t_3 expires and before timing
window 8t_2 expires. Deploy is realized when N' (20) cycle counts
occur before window expires.

S5:  High Frequency (Class IV Deploy) State - This state is achieved
when N_8 occurs after timing window 8t_4 expires and before timing
window 8t_3 expires. Deploy occurs when one additional count
(N_9) is realized before window T_i expires.

D (S6):  The deploy state activates the power switches for 16 ms to
release the restraint system or other device. The processor cycling
loop is then closed by return to S0.


Consideration of the program paths and decisions will show that the processor
design is highly weighted toward rejecting invalid signals by a variety of
checks and balances. As a consequence, it follows that random logic failures
are most likely to result in nondelivery of an output rather than spurious
delivery of an output. The system design is also weighted against spurious
outputs by the program flip-flop state code assignments included in Figure 3-8.
In particular, it may be seen that maximum distinction between steady state
and initial check state(s) vs. direct-to-deploy states is established by
having a maximum number of ZERO's in the former and a maximum number of ONE's
in the latter.
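The state flow described above can be exercised with a short behavioural model. This is an added example, not part of the original report; it takes the comparator pulse times in milliseconds (one pulse per doppler cycle) and an optional impact switch time, and returns the deploy time or the state at which the signal was rejected. Assumptions: the frequency consistency check is applied only while the first eight cycles are classified, the unnamed window in the S4 description is taken to be the 150 ms window, and the impact closure must follow the N count as the triggering criteria require.

```python
"""Behavioural model of the processor state flow (S0 .. S6), times in ms."""

T_4, T_1 = 0.2, 2.0          # periods of the 5 kHz and 500 Hz limits
W_8T4, W_8T3, W_8T2, W_8T1 = 1.6, 2.64, 8.0, 16.0   # windows as listed in the report
T_I = 150.0                  # impact switch timing window
N, N_PRIME, N_9 = 16, 20, 9  # cycle counts required for deploy in S31, S4, S5


def tone(freq_hz, pulses, start_ms=0.0):
    """Constructed input: comparator pulse times for a steady doppler tone."""
    period = 1000.0 / freq_hz
    return [start_ms + k * period for k in range(pulses)]


def run_processor(pulses_ms, impact_ms=None):
    """Return (deploy_time_ms or None, reason). Every rejection returns to S0."""
    if len(pulses_ms) < 2:
        return None, "S0: no complete cycle"
    start = pulses_ms[0]                     # a_0 starts every timing window
    t_a = pulses_ms[1] - start               # first cycle period
    if not (T_4 < t_a < T_1):
        return None, "S1: first period outside t_4..t_1"

    # S2x: count eight cycles, checking each against the first (signal X).
    for k in range(2, 9):
        if k >= len(pulses_ms):
            return None, "S2: signal ended before N_8"
        period = pulses_ms[k] - pulses_ms[k - 1]
        if not (0.75 * t_a < period < 1.25 * t_a):
            return None, "S2: X, cycle %d inconsistent with first cycle" % k

    # Classify by which window the eighth cycle count (N_8) falls in.
    elapsed_8 = pulses_ms[8] - start
    if W_8T4 < elapsed_8 <= W_8T3:
        state, need = "S5", N_9
    elif W_8T3 < elapsed_8 <= W_8T2:
        state, need = "S4", N_PRIME
    elif W_8T2 < elapsed_8 <= W_8T1:
        state, need = "S31", N
    else:
        return None, "S2: N_8 outside 8t_4..8t_1"

    # Wait for the required cycle count inside the 150 ms window.
    if len(pulses_ms) <= need:
        return None, state + ": cycle count not reached"
    t_count = pulses_ms[need]
    if t_count - start > T_I:
        return None, state + ": T_i expired"
    if state != "S31":
        return t_count, state + ": deploy"

    # S32: direct-to-deploy, needs impact switch closure before T_i expires.
    if impact_ms is None or not (t_count <= impact_ms <= start + T_I):
        return None, "S32: no impact closure after N and inside T_i"
    return impact_ms, "S32: deploy"
```

Every rejection path ends without a deploy time, matching the report's point that the program is weighted toward non-delivery of an output.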


Special  Circuits 
Analog  Channel 

A schematic of the MOS operational amplifier (X100), differential comparator
and reference voltage regulator is shown in Figure 3-9. The operational
amplifier and comparator can be seen to be largely identical with each comprising
a difference amplifier stage followed by two stages of grounded-source voltage
gain. The operational amplifier requires two gain-breaking (stabilization)
networks; one (5M ohm-10 pF) between the two grounded-source stages and the second
(100K ohm-20 pF) on the feedback resistance. The simple but effective monolithic
voltage regulator is included directly in the channel. Because of the novelty
of MOS analog circuits this design was breadboarded and thoroughly evaluated
using discrete components including high (4V) and low (2V) enhancement mode
insulated gate MOS transistors and depletion mode junction field effect
transistors. The resulting amplifier performance includes an open loop gain of
10,000 and a closed loop 3 dB frequency of 10 kHz for the X100 amplifier. The
comparator transfer function is ± 5%, yielding a full channel switching accuracy
of 10 mV ± .5 mV.

Figure 3-9. MOS Analog Channel

Oscillator  and  Clock  Driver 

The oscillator and clock driver circuits were breadboarded and checked in
accordance with the schematic of Figure 3-10. Again, discrete enhancement and
depletion mode field effect transistors were used and the oscillator phase shift
network was mechanical with a 4-section R-C combination yielding efficient
performance at 100 kHz.

Because  of  the  regulator  circuit  simplicity,  this  section  has  an  independent 
(of  the  analog  channel)  regulator,  providing  almost  complete  immunity  to  normal 
supply  voltage  variations. 

Power-On Signal (T_0)

The processor initialization circuit is shown in Figure 3-11 and includes the
basic current-source and capacitor turn-on detector in combination with a d-c
cross-coupled latch for sharp pulse generation. This circuit was also verified
using discrete parts and indicated conformance with expected principles.

SELF-TEST PROCESSOR
Purpose  and  Approach 

The design and study of the Crash-Sensor Signal Processor with auxiliary
self-test features are based on the complete fulfillment of the reliability vs.
cost analysis with operator malfunction indication. Obviously, a meaningful
indication must be based on a self-test program that exercises critical Signal
Processor functions at intervals and alarms upon test failures.

In choosing the self-test intervals, consideration was given to two modes, one of
which involved tests during automobile operation and the second used at
engine-start only.

Figure 3-11. Power Turn-On Detector

Since engine-start occurs at an average interval of thirty operating (driving)
minutes (or less) this interval provides more than ample improvement in MTBF
requirements for the electronics. Additionally, the test at engine-start is
much more simple to mechanize including elimination of a requirement to
distinguish test and input signal processing as would be required in test during
vehicle operation.

On the above bases, the engine-start test mode was a clear-cut preference,
permitting all extra logic and circuitry to be dedicated to a comprehensive
self-test program.

The self-test program developed performs more than the minimal checks implied
for the specified failure modes analysis since no-go conditions are also checked.
These additional test steps were added when it was recognized that they had
only a small complexity impact beyond the basic requirements.

Mechanization of the test functions also makes maximum use of established
processor functions so that only approximately 50% of the potential test circuit
failures are due to add-on devices.

Self-Test  Functions 

Figure  3-12  shows  the  self-test  functional  design  including  analog  features  to 
provide  digitally  selectable  signal  amplitudes.  Key  features  are  as  follows: 

Test Signal Selection — The input to the analog channel is
selectable between the doppler signal input (e_d) and the
test signal input (e_t). Appropriate test amplitudes are
provided by a tapped resistor divider network with full
supply swing at the input and low-level square waves at the
output. Selection is accomplished by series switches and
simple logic gates.

The basic test signal and frequency selection is provided
by utilizing the existing 12-bit Processor timing counter
(PROC CNTR bits 1, 2, 5, 6). At this signal level, selection
is purely logic gating.

Figure 3-12. Self Test Functions


Deploy Pulse Signal — Implementation of the test capability
requires insertion of disconnect gates between the deploy
pulse generator and the deploy driver so the restraint
system will not be actuated. As a practical consequence the
deploy drivers cannot be included in the test process.
However, the low device count and redundancy against
spurious outputs in the driver permits a sufficiently
high reliability without test.

Because the series redundant deploy drivers are each driven
by a separate (P1, P2) pulse generator output, the test
deploy signal (d) is gated from both lines requiring that
both switch, i.e., d = P1 · P2.

Impact Switch Signal (S_i(tst)) — For obvious reasons the
impact switch cannot be actuated in the test mode; hence,
a representative signal must be otherwise generated. This
is accomplished by again using a 12-bit processor counter
output (bit 12).

Test Program — The test program requires four flip-flops
and fairly simple associated gates. Program input
information includes the following.

Test deploy signal (d) - new

Processor Program Outputs: B, C, D - existing

Processor Signals - T0, N(16), N'(20), a - existing

Nineteen Cycle Count (N19) - derived from the Processor
cycle count accumulator.


Test  Gate  and  Lamp  Driver  — The  test  gate  output  (Tst) 
activates  the  vehicle  warning  lamp  during  the  test  cycle 
and  remains  on  when  any  test  failure  occurs.  Consequently, 
the  indicator  lamp  and  circuit  are  checked  for  operation 
during  test.  In  addition  the  signal  (Tst)  provides  the 
driver  and  doppler  input  disconnect  action. 


Test  Program 


Figure 3-13 shows the detailed self-test program state flow diagram which
comprises 11 states of single channel flow plus one failure state latch
condition. The decision point abbreviations have the following definitions:

d          Test deploy signal

S0         Processor Program Steady State

T0         Power-on Initialization Signal

N'(20)     20-cycle accumulation signal

B0         Processor Program Flip-Flop B0 presence indicating
           initial process states S0 + S11 + S12, only.

C0         Processor Program Flip-Flop C0 presence indicating
           initial process states S0 + S1, only.

N(16)      16-cycle accumulation signal.

S_i(tst)   Impact switch test signal - S_i(tst) = 102 ms

N19        19-cycle accumulation signal.


The test program state activities are as follows:

TS10: Power On and Initialization State - At battery power
connection on engine-start the test cycle is started, with
the warning lamp on and the Processor unconstrained except
for deploy driver disconnect and analog input transfer to
the test signal.

The state is held until the Processor steady state (S0)
and the initialization signal (T0) are attained unless a
spurious deploy indicates failure.

No-Go Tests - In the test modes, after TS10, the Processor
timing counter is enabled for signal generation which must
normally be properly ignored or detected.

TS11: A median frequency (2.5 kHz) subthreshold (10 mV)
signal is applied until the process counter 100 ms (S_i(tst))
window expires.

Under these conditions no analog comparator output (a), deploy
(d) or other than steady-state (S0) Processor condition should
occur.

Figure 3-13. Self Test Program

TS12: The test input signal is increased to well above threshold
(50 mV) and the test frequency is reduced to below the acceptable
lower frequency (312 Hz < 500 Hz).

Under these conditions the Processor is checked for initial
states signal rejection activity only (S0 + S11 + S12 = B0)
for the 100 ms period.

TS13: The test signal amplitude is maintained at a relatively
high level (50 mV) but the test frequency is raised to above
the highest acceptable processing frequency (10 kHz > 5 kHz).

Again, the Processor is checked for program activity in the
early check states only (S0 + S11 = C0) for the 100 ms period.

Go Tests: In the go tests the Processor must exhibit a proper
pattern of behavior. This is primarily established by the
status at a significant cycle count and the concurrence of
the deploy signal and its activating internal signal.

TS21, TS22: The test signal amplitude is set marginally
above the minimum amplitude threshold (25 mV) with the
frequency in the Class II deploy range (500 Hz < 625 Hz < 1 kHz).

In this mode the Processor should not advance to a
direct-to-deploy state or provide a deploy signal until the N(16)
processor signal occurs, as checked in TS21.

TS22 then checks that normal accumulator disable occurs (N'(20)
NOT) and that the deploy signal is concurrent with the
application of the test impact switch signal.


TS30: This is a processing recovery state which verifies
that the deploy pulse terminates and the Processor returns
to steady state in the absence of any test signal.

TS31, TS32: In this go category the Processor is checked
for Class III operation with a median test frequency (2.5 kHz)
and a minimum test amplitude (25 mV). Since deploy must
normally occur on the N' = 20th cycle count the processor is
checked for no deploy through the 19th cycle count (TS31)
and concurrent 20th count and deploy in TS32.

TS40, TS0: The test signal is removed and upon attaining
Processor steady state conditions in TS40 the test program
advances to the normal process enable condition (TS0),
where all test constraints are removed.

TS50: Failure state - Any test program failure path decision
point failure latches this state which is a distinct condition.
In addition, the test program can stay locked in a test state
due to the nonoccurrence of an appropriate signal. Both
conditions result in nonattainment of normal operating conditions
with the warning light latched ON.
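
The state activities TS10 through TS50 described above can be exercised as a small sequencer. This Python model is an added example, not part of the original report or of the Burroughs design; the sampled `Obs` snapshot and its field names, the `window_done` flag, the placeholder state name `Sx`, and the order in which each state's decision points are evaluated are assumptions, since Figure 3-13 is not reproduced here.

```python
from dataclasses import dataclass

# Single-channel flow of the test program; TS50 is the separate failure latch.
ORDER = ["TS10", "TS11", "TS12", "TS13", "TS21", "TS22",
         "TS30", "TS31", "TS32", "TS40", "TS0"]
HOLD, ADVANCE, FAIL = "hold", "advance", "fail"

@dataclass(frozen=True)
class Obs:
    """One sampled snapshot of the decision-point signals (assumed model)."""
    state: str = "S0"          # Processor program state (S0 = steady state)
    t0: bool = True            # power-on initialization signal attained
    a: bool = False            # analog comparator output
    d: bool = False            # test deploy signal, d = P1 AND P2
    n16: bool = False          # 16-cycle accumulation signal
    n19: bool = False          # 19-cycle accumulation signal
    n20: bool = False          # 20-cycle accumulation signal
    si_tst: bool = False       # test impact switch signal
    window_done: bool = False  # 100 ms no-go window has expired

def decide(ts, o):
    """Return HOLD, ADVANCE or FAIL for test state ts and observation o."""
    if ts == "TS10":   # wait for S0 and T0; a spurious deploy is a failure
        if o.d:
            return FAIL
        return ADVANCE if o.state == "S0" and o.t0 else HOLD
    if ts == "TS11":   # 2.5 kHz, 10 mV: no a, no d, nothing but S0
        if o.a or o.d or o.state != "S0":
            return FAIL
        return ADVANCE if o.window_done else HOLD
    if ts in ("TS12", "TS13"):
        # TS12 (312 Hz, 50 mV): only S0 + S11 + S12; TS13 (10 kHz): only S0 + S11
        allowed = ("S0", "S11", "S12") if ts == "TS12" else ("S0", "S11")
        if o.state not in allowed:
            return FAIL
        return ADVANCE if o.window_done else HOLD
    if ts == "TS21":   # Class II (625 Hz, 25 mV): no deploy before N(16)
        if o.n16:
            return ADVANCE
        return FAIL if o.d else HOLD
    if ts == "TS22":   # N'(20) must not occur; d concurrent with S_i(tst)
        if o.n20 or o.d != o.si_tst:
            return FAIL
        return ADVANCE if o.d else HOLD
    if ts == "TS30":   # recovery: deploy pulse ended and Processor back in S0
        return ADVANCE if not o.d and o.state == "S0" else HOLD
    if ts == "TS31":   # Class III (2.5 kHz, 25 mV): no deploy through count 19
        if o.d:
            return FAIL
        return ADVANCE if o.n19 else HOLD
    if ts == "TS32":   # deploy must coincide with the 20th count
        if o.n20 != o.d:
            return FAIL
        return ADVANCE if o.d else HOLD
    if ts == "TS40":   # test signal removed: wait for S0, then release to TS0
        return ADVANCE if o.state == "S0" else HOLD
    raise ValueError(f"no decision rule for {ts}")

class SelfTest:
    """Test program sequencer; starts in TS10 at power-on."""
    def __init__(self):
        self.ts = "TS10"

    @property
    def lamp_on(self):
        # The lamp is lit during the test cycle and stays lit in TS50 or in
        # any test state the program never leaves.
        return self.ts != "TS0"

    def step(self, o):
        if self.ts in ("TS0", "TS50"):   # normal operation or latched failure
            return self.ts
        verdict = decide(self.ts, o)
        if verdict == FAIL:
            self.ts = "TS50"
        elif verdict == ADVANCE:
            self.ts = ORDER[ORDER.index(self.ts) + 1]
        return self.ts

def run(trace):
    st = SelfTest()
    for o in trace:
        st.step(o)
    return st

# Constructed trace of a healthy Processor; "Sx" stands for any later state.
GOOD = [
    Obs(t0=False), Obs(),                                        # TS10
    Obs(), Obs(window_done=True),                                # TS11
    Obs(state="S11"), Obs(state="S12", window_done=True),        # TS12
    Obs(state="S11", window_done=True),                          # TS13
    Obs(state="Sx", a=True), Obs(state="Sx", a=True, n16=True),  # TS21
    Obs(state="Sx", a=True, d=True, si_tst=True),                # TS22
    Obs(state="Sx", d=True), Obs(),                              # TS30
    Obs(state="Sx", a=True), Obs(state="Sx", a=True, n19=True),  # TS31
    Obs(state="Sx", a=True, n20=True, d=True),                   # TS32
    Obs(state="Sx"), Obs(),                                      # TS40
]
```

Running `run(GOOD)` ends in TS0 with the lamp off; truncating the trace so that N(16) never arrives leaves the sequencer in TS21 with the lamp on, which is the lock-in case the TS50 paragraph describes.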


SECTION  4.  RELIABILITY  - COST  ANALYSIS 


APPROACH 

This  section  describes  the  reliability  and  cost  analyses  conducted  by  the 
Burroughs  Product  Analysis  Section  during  the  design  phase  of  the  Automobile 
Crash-Sensor  Signal  Processor  (hereafter  referred  to  as  the  Sensor)  program  for 
the  U.S.  Department  of  Transportation.  Throughout  this  study,  the  underlying 
concept  was  to  deliver  a reliable  and  inexpensive  system  with  provisions  for 
built-in  redundancy  and  fail-safe  circuitry  to  ensure  maximum  safety,  considering 
the  triggering  criteria  outlined  in  Section  2. 

Emphasis was placed on protection against accidental system firing and observance
of the cost constraints specified in Exhibit B of RFP No. TSC-TME-0063-ES. To
ensure a reliable design, a comprehensive Failure Mode and Effects Analysis
was conducted to pinpoint any reliability design weaknesses. This analysis
resulted in the incorporation of several reliability design improvements.

The general approach followed in the study is outlined below:

a. Analysis of the program concepts and proposed technology to ensure
compatibility.

b. Development of a system prediction model consistent with the proposed
MOS technology.

c. Analysis of system elements and logic by means of a Failure Mode and
Effects Analysis to determine the effects of specific failures
on the system.

d. Apportionment of system prediction over functional areas using
complexity as the apportionment parameter.

e. Categorization of all possible failures and apportionment of their
expected failure rates into four failure classifications as defined
in the original RFP and enumerated herein.

f.  Analysis  of  reliability  and  cost  to  provide  various  configurations  of 
improved  reliability  at  different  cost  increments.  This  analysis 
employed  the  Burroughs  Product  Assurance  Reliability  Computer 
Analysis  Programs. 

g.  Selection  of  optimum  configurations. 


SUMMARY 

The following discussion summarizes the salient numerical results of the Sensor
reliability and cost analyses and provides recommendations concerning the
selection of system configurations.

The  configurations  considered  are  shown  in  Figures  4-1  through  4-7. 
The  reliability  and  cost  for  each  of  these  configurations,  with 
and  without  device  burn-in,  and  the  relative  ranking  of  each 
configuration  based  on  reliability  and  cost,  are  given  in  Table  4-1. 

The configuration in Figure 4-3 has the highest predicted
reliability. However, the results of all three system redundant
configurations (Figures 4-2, 4-3, and 4-4) are very close. The
optimum selection among these three could therefore be based on
other criteria not considered in this analysis.

The  effect  of  repair  on  predicted  reliability  is  illustrated 
in  Table  4-2. 
Figure 4-1. Basic System

Figure 4-2. Redundant MOS

Figure 4-3. Redundant MOS and Bipolar

Figure 4-4. MOS/Bipolar Redundant

Figure 4-5. Voting MOS Only

Figure 4-6. Voting MOS and Redundant Bipolar

Figure 4-7. Voting MOS/Bipolar


TABLE 4-1. SYSTEM CONFIGURATION RELIABILITY AND COST
(NO REPAIR)


TABLE 4-2. PREDICTED RELIABILITY (WITHOUT AND WITH REPAIR)
(CONFIGURATION 4-4)

Time Span  Oper.   Failure Classification (without Repair)       Failure Classification (with Repair)
(yrs)      hrs     I          II         III        IV           I    II   III  IV

1          500     .99999987  .99999987  .99999999  .99978917    1    1    1    .9999999983
5          2500    .99999690  .99999682  .99999986  .99502654    1    1    1    .9999999624
10         5000    .99998762  .99998733  .99999942  .98148439    1    1    1    .9999998501

c. The approximate cost of the optimum configurations is about $4.90 each
(see Table 4-1).

d. Manufacturer burn-in of all chips is recommended.

e. All the above recommended configurations have built-in self-checking
circuitry which can be converted to a failure indication system for
the automobile operator by the addition of only an indicator lamp on
the dashboard.

f. The self testing circuit would check for system failures every time the
automobile engine is started (approximately every 30 minutes).

g. The basic circuitry proposed is fail safe designed. The failure rate
by failure classification indicates that when failures do occur in the
basic building blocks the system will most often fail safe
(Classification IV). Refer to Table 4-3.

TABLE 4-3. FAILURE RATE BY FAILURE CLASSIFICATION (BASIC DESIGN CONFIGURATION)

Failure Classification    (Failures/million hours)

I                         .705
II                        .713
III                       .151
IV                        24.820

functional area apportionments, the failure classification apportionment and
the failure mode and effects qualitative analyses were accomplished concurrently.
In this way, an in-depth understanding of the system design techniques and
problems could be accomplished while the quantitative calculations were developed.
This led to an integrated design/reliability product. It is appropriate now,
however, to discuss these analyses separately.

DETERMINATION OF BASIC FAILURE RATES


The bulk of the Sensor system is contained on one monolithic P-MOS integrated circuit
chip, which includes the processor, analog preprocessing, digital processing, power
supply turn-on detection, oscillator and clock driver, and voltage regulator circuitry.
Self-check malfunction indication circuitry may also be added to this chip as an option.
The remainder of the Sensor system is contained on a Bipolar chip and consists of a
high power current switch and a P-N junction Zener diode clamp. For purposes of
establishing an overall failure rate prediction, the circuitry is divided into three main
groups:

a.  P-MOS  circuitry 

(1)  Basic  circuitry 

(2)  Self  check  malfunction  indication  circuitry 

b.  Bipolar  high  power  (current)  switch 

c.  Bipolar  P-N  junction  Zener  diode  clamp 

P-MOS  Failure  Rate  Model 

The  failure  rate  prediction  model  used  during  this  study  for  determining  the  failure 
rate of the P-MOS circuitry is developed in references (a) and (b). This model,
which  evaluates  the  effect  of  chip  complexity,  packaging,  and  wire  bonds,  was  developed 
under  Rome  Air  Development  Center  sponsorship  and  is  based  on  a survey  of  industry 
experimental  results  and  available  published  information.  The  model  is  applicable  for 
predicting  the  failure  rate  of  circuits  that  meet  the  following  set  of  conditions: 

a.  The  circuits  are  commercially  available  MOS  circuits  manufactured 
with  commonly  used  materials,  processes  and  techniques. 

b.  Early  failures  and  gross  defects  have  been  removed  by  quality 
screening. 

c.  There  is  evidence  from  qualifications  on  other  tests  that  the 
devices  are  typical  of  their  type. 

d.  No  extreme  or  unique  conditions  exist  in  assembly  or  in  subsequent 
handling  or  application  that  might  significantly  degrade  the 
reliability. 

e.  The  directly  applied  or  full-induced  voltages  and  currents  are  held 
within  the  maximum  ratings  specified  by  the  manufacturer. 

f. No voltage surges, transients or spikes are allowed to reach the
devices.

Equation (1) below defines the model applied in determining the failure rate
of the Sensor P-MOS circuitry.

$$\lambda = \lambda_B \, \pi_T \, \pi_P \, \pi_E \, \pi_Q \, \pi_F \, \pi_C + \lambda_W \, \pi_T \qquad (1)$$

where,

$\lambda$     Total failure rate of the microcircuit

$\lambda_B$   Basic failure rate for a particular type of circuit

$\lambda_W$   Failure rate of the wire bonds

$\pi_T$       Temperature adjustment factor

$\pi_P$       Packaging adjustment factor

$\pi_E$       Environmental adjustment factor

$\pi_Q$       Stringency of screening adjustment factor

$\pi_F$       Fabrication conditions adjustment factor

$\pi_C$       Circuit size and complexity adjustment factor

Basic  Circuitry  Failure  Rate  Prediction 

The  numerical  values  established  for  each  of  the  parameters  of  Eq.  (1)  are 
discussed  first  for  the  basic  P-MOS  circuitry  and  then  recalculated  to  include 
the  optional  self  check  malfunction  indication  circuitry.  For  the  basic  circuitry: 

• Basic Failure Rate ($\lambda_B$). A basic failure rate of 10 failures/million
hours is specified in reference (a). This rate is based on chips produced
prior to 1971. However, newer devices embodying improvement in design
and processing have substantially lower failure rates. The chips
that will be used in the Sensor will not be produced in quantity until
at least 1974. It is expected that these devices will have even lower
failure rates than those of today's devices for which data is
available. Therefore, a proper adjustment of the above failure rate to
5 failures/million hours would be consistent.

• Adjusting Factor for the Operating Temperature ($\pi_T$). The basic failure
rate is based on an ambient operating temperature of 125°C. Assuming
the activation energy for average degradation on operating life is
5 Kcal/mole, at 100°C maximum temperature $\pi_T = 0.5$.

• Wire Bonds Failure Rate ($\lambda_W$). For a system using ultrasonic bonding on
the package bond, aluminum wire, gold plated packages and aluminum
metalization on the chip, the failure rate for wire bonds can be
calculated by

$$\lambda_W = (.002/10^6 \text{ hrs.}) \, W$$

where W is the number of wires connecting different points within the
package, as well as those to package leads. With W = 800,

$$\lambda_W = 1.6 \text{ failures/million hours}$$

• Adjustment Factor for Package Type ($\pi_P$). The following values for $\pi_P$
are for:

a. A chip glassed with a material that does not introduce an
instability.

b. A gold-silicon eutectic chip-to-package bond.

c. A gold wire thermal compression on aluminum, 1 percent silicon
wire with ultrasonic bonds.

d. Hermetic package.

$$\pi_P = 1 + .05 \, L$$

where L is the number of active leads in excess of 10. The number of
active leads for the system will be 5, therefore L for the Sensor will
be 0. Four or five pins will be used as test points. System operation
is not dependent whatsoever on these test pins.

Therefore $\pi_P = 1$

• Environmental Adjustment Factor ($\pi_E$). The value of $\pi_E$ for a mobile
ground environment is

$$\pi_E = 7.0$$
• Quality of Screening Adjustment Factor ($\pi_Q$). For optimum screening
$\pi_Q = 1$. This includes the following:

a. Vendor, line and product qualifications

b. Line discipline on an interference basis

c. Failure feedback with continuous basis

d. Screens and burn-in

e. Traceability of test data

• Fabrication Conditions Adjustment Factors ($\pi_F$). Circuits that have
been in production for at least one year on a given line with line
discipline on an interference basis, with failure feedback and
continuous corrective action, and with firm process controls to prevent
instabilities in both the gate and field oxides will have

• Circuit Size and Complexity Adjustment Factors ($\pi_C$). $\pi_C$ is defined
as

$$\pi_C = 0.5 + 0.5 \left( \frac{A}{5000} \right)$$

where A is the active area of the chip in square mils. The active area of
the chip includes everything except border regions (scribe lines, contact
lands and test devices) of the chip. $\pi_C$ was defined in terms of area
rather than in terms of gates or bits because of the difficulties
involved in defining gates and bits. The $\pi_C$ equation was derived with the
following assumptions:

a. $\pi_C$ should be unity for an area of 5000 square mils.

b. Circuits having a chip area of 5000 square mils are assumed to
have a failure rate that is half due to area-independent effects
and half due to area-dependent effects.

c. The effects of area on the failure rates are assumed to be less
than if the number of defects were linearly proportional to
area. It is likely that a lower average defect density exists
in larger area chips in order to achieve a good yield.

A = 10,000

$\pi_C = 1.5$


Therefore, evaluating equation 1 we obtain

$$\lambda = (5/10^6 \text{ hrs.})(.5)(1)(7)(1)(1)(1.5) + (1.6/10^6 \text{ hrs.})(.5)$$

$$= 26.25/10^6 \text{ hrs.} + 0.8/10^6 \text{ hrs.}$$

$$= 27.05 \text{ failures/million hrs.}$$

This failure rate indicates how many malfunctions within the basic MOS chip will
be expected in a million hours of operation. However, as the Failure Mode and
Effect Analysis will show, this is not the number of chip failures expected.
Certain specific malfunctions will not hinder the operation of the system and
therefore are not system failures. This rate is to be construed as a basic
chip malfunction rate only, which will be developed into a meaningful failure rate.

Basic  Circuitry  with  Self-Check  Test  Circuit  Failure  Rate  Prediction 

A test  circuit  design  has  been  developed  for  the  Sensor  system.  The  test  circuit 
and  basic  system  are  included  on  one  MOS  chip.  The  basic  circuitry  covers  about 
10,000 square mils of surface area and the test circuit an additional 2500 square
mils.  The  test  circuit  will  have  two  basic  functions  of  which  one  or  both  can 
be  utilized  simultaneously. 

The  test  circuit  will  be  needed  in  any  on-line  redundant  system  configuration 
(this  does  not  include  voting  logic  configurations)  to  determine  when  one 
redundant  branch  has  failed  so  that  the  system  can  utilize  the  other  branch. 

The  test  circuit  will  monitor  each  redundant  branch  and  tell  the  sensing  switch 
logic  to  switch  to  the  alternate  branch  when  one  has  failed.  Each  redundant 
branch  will  have  its  own  test  circuit  since  this  simplifies  the  design  and 
minimizes  manufacturing  costs  (only  one  type  chip  need  be  made). 

Second,  the  test  circuit  can  be  utilized  as  a failure  indicator  system  for  the 
automobile  operator.  The  test  circuit  will  check  the  Sensor  system  every  time 
the  automobile  is  started  (approximately  every  30  minutes).  If  a failure  has 
occurred,  an  indicator  on  the  dashboard  will  light. 

The failure rate prediction for the test circuit uses the math model given in
eq. (1). $\pi_C$ designates the factor that weights the circuit size and complexity.

From eq. (1),

$$\pi_C = 0.5 + 0.5 \left( \frac{A}{5000} \right)$$

where A is the active area of the chip in square mils. $\pi_C$ is the only factor
changed in the MOS prediction when the test circuit is considered. "A" for the
basic system plus the test circuit is 12,500 square mils. Therefore $\pi_C = 1.75$
($\pi_C$ for the basic system alone = 1.5).

A failure rate for the basic and test circuit chip can be predicted as follows:

$$\frac{1.75 - 1.5}{1.5} = .167 \text{ change}$$

$$27.05 \times .167 = 4.52 \text{ failures}/10^6 \text{ hrs. additional for the test circuit.}$$

Bipolar  High  Power  (Current)  Switch  Failure  Rate  Prediction 

The Bipolar High Power (Current) Switch consists of an eight element
arrangement (4 transistors and 4 diffused resistors) for a high current (≈10A),
short duration switching deploy signal. RADC has established a failure rate
of .07 failures/million hours for a more complex but similar type device.
These devices have on an average 20 elements. Therefore, for our function at
maximum operating temperature of 100°C, the basic failure rate is:

$$\frac{8}{20} \times .07 \ (F/10^6 \text{ hrs.}) = .028 \ F/10^6 \text{ hrs.}$$

Our K factor for vehicle mounted devices is 7, therefore, device failure rate
is:

$$.028 \times 7 = 0.196 \text{ failures/million hours}$$

Bipolar Zener Diode Clamp Prediction

This prediction is based on the mathematical model presented in the RADC reliability
notebook. An assumed maximum operating temperature of 100°C was used in making
the calculation. The power rating is based on a standard derating curve where the
temperature derating point is 25°C and the maximum junction temperature is
175°C. Stress ratio for the device was assumed to have an actual power ratio
of 0.3 to the maximum rated power dissipated at 25°C. A vehicle mounted
environment was considered. Therefore

$\lambda$ = 0.020664 failures/million hours
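
The predictions above for the P-MOS chip, the self-check test circuit and the bipolar switch can be reproduced with a few functions. This Python block is an added example, not part of the original report; the function names are hypothetical, the .5 multiplier on the wire bond term is taken to be the temperature factor, and the wire count is assumed unchanged when the test circuit is added.

```python
# Rates are in failures per million hours, as in the text.

def pi_c(area_sq_mils):
    """Circuit size and complexity factor: 0.5 + 0.5 (A / 5000)."""
    return 0.5 + 0.5 * (area_sq_mils / 5000.0)


def pi_p(active_leads):
    """Package factor 1 + .05 L, where L is active leads in excess of 10."""
    return 1.0 + 0.05 * max(0, active_leads - 10)


def lambda_w(wires):
    """Wire bond failure rate: .002 per wire."""
    return 0.002 * wires


def pmos_rate(area_sq_mils, lam_b=5.0, pi_t=0.5, leads=5, pi_e=7.0,
              pi_q=1.0, pi_f=1.0, wires=800):
    """Return (chip term, wire bond term) of Eq. (1) with the text's values."""
    chip = lam_b * pi_t * pi_p(leads) * pi_e * pi_q * pi_f * pi_c(area_sq_mils)
    # Assumption: the .5 applied to the bond term in the evaluation is pi_T.
    bonds = lambda_w(wires) * pi_t
    return chip, bonds


def increment_scaled(base_area=10_000, added_area=2_500):
    """Method used in the text: scale the whole basic-chip rate, wire bonds
    included, by the relative change in pi_C."""
    base_total = sum(pmos_rate(base_area))
    change = (pi_c(base_area + added_area) - pi_c(base_area)) / pi_c(base_area)
    return base_total * change


def increment_direct(base_area=10_000, added_area=2_500):
    """Alternative: re-evaluate Eq. (1) at the larger area, so only the chip
    term grows (assumes the same number of wire bonds)."""
    return sum(pmos_rate(base_area + added_area)) - sum(pmos_rate(base_area))


def bipolar_switch_rate(elements=8, ref_elements=20, ref_rate=0.07, k_env=7.0):
    """Scale the RADC rate for a 20-element device to 8 elements, then apply
    the vehicle-mounted K factor."""
    return elements / ref_elements * ref_rate * k_env


def budget():
    """Collect the group predictions; the Zener clamp value is quoted as is."""
    chip, bonds = pmos_rate(10_000)
    rates = {
        "pmos_basic": chip + bonds,
        "selftest_scaled": increment_scaled(),
        "selftest_direct": increment_direct(),
        "bipolar_switch": bipolar_switch_rate(),
        "zener_clamp": 0.020664,
    }
    rates["basic_system"] = (rates["pmos_basic"] + rates["bipolar_switch"]
                             + rates["zener_clamp"])
    return rates


if __name__ == "__main__":
    for name, rate in budget().items():
        print(f"{name:16s} {rate:9.4f}")
```

The scaled method gives about 4.51 before rounding (the text rounds the change to .167 and obtains 4.52), while re-evaluating Eq. (1) at 12,500 square mils gives 4.375 because the wire bond term does not grow with area.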
FAILURE MODE AND EFFECTS ANALYSIS (FMEA)

The detailed FMEA is included with this report as Appendix A. The information
included is as follows:

Column 1   Name and/or Code of the element, logic or gate in the
           function being examined.

Column 2   The basic function of the element, logic or gate being
           examined.

Column 3   The failure mode associated with the element, logic or gate
           being examined. These include short, open, partial short,
           stuck high and stuck low.

Column 4   In column 4 are noted the mechanisms of failure which could
           result in the mode described in column 3. The failure
           mechanisms considered were: hole in oxide, ion migration,
           and electromigration.

Column 5   The effect that the failure mode described in column 3 will
           have on the function is described here.

Column 6   The effect that the failure mode described in column 3 will
           have on the system is described here.

Column 7   The failure rate apportionment for the failure mode described
           in column 3. This indicates the number of expected failures
           of this mode per million hours of operation.

Column 8   Remarks

Column 9   Classification of each failure mode into one of the four failure
           classifications as follows:

           I    Triggering with signal not present, or with signal less
                than 50 percent of the specified threshold for amplitude,
                frequency or cycle count.

           II   Triggering with signal amplitude, frequency or cycle count
                between threshold and 50 percent of threshold.

           III  Inability to trigger with amplitude, frequency or cycle
                count greater than threshold, but less than 1.5 times
                the threshold value.

           IV   Inability to trigger with frequency, amplitude, or cycle
                count 1.5 times threshold or greater. (This includes the
                completely inoperable state.)

Functional Area and Failure Classification Apportionment


The system is composed of discrete areas, each with one or more specific functions.
These  functional  areas  are  the  basis  for  our  studies  into  how  the  system  operates, 
i.e.,  interdependencies  of  the  functional  areas  on  each  other  and  the  system,  and 
failure  rate  apportionments  throughout  individual  elements  and  logic  within  the 
functions.  It  has  been  assumed  that  failures  will  occur  randomly  throughout  the 
system  in  that  no  specific  section  of  the  chip  area  will  experience  more  failures 
than  any  other  section  of  equal  area.  This  technique  uses  complexity  of  the 
function  as  a criterion  for  the  apportionment.  Since  over  99  percent  of  all 
elements  are  active  transistors,  it  has  been  assumed  that  all  elements  within 
the  function  have  an  equal  chance  of  failing.  This  approach  considers  the  fact 
that  ion  migration,  which  is  a prominent  failure  mechanism  in  MOS  circuitry,  is 
most  dominant  in  active  elements,  and  that  there  is  a very  small  number  of 
resistor-capacitor  type  elements.  The  necessity  of  developing  an  elaborate 
apportionment  technique  for  active  versus  passive  elements  is  thereby  avoided. 

Table  4-4  provides  a tabulation  of  the  functional  area  complexity  factors  and 
failure  rates.  The  basis  for  reliability  allocation  to  each  functional  area  is 
discussed  below. 

TABLE 4-4. SYSTEM FAILURE RATE APPORTIONED BY FUNCTIONAL AREA

                                                              Failure Rate Associated
Functional Area Name                   Complexity Factor      with Functional Area
                                                              (F/10^6 Hrs.)

A - MOS CIRCUITRY

 1) Amplifier                          .0172                  0.464031
 2) Clock Driver                       .0098                  0.265196
 3) Clock Oscillator                   .0061                  0.165747
 4) Compare                            .1005                  2.718260
 5) Decoder                            .0453                  1.226532
 6) Deploy Switch & Pulse Generator    .0270                  0.729289
 7) Differential Comparator            .0135                  0.364645
 8) Digital Differentiator             .0123                  0.331495
 9) Internal Control                   .0257                  0.696140
10) Power Detector                     .0123                  0.331495
11) Program Gates                      .0882                  2.386765
12) Program State Flip-Flops           .0809                  2.187868
13) Subroutine Control                 .0257                  0.696140
14) Voltage Regulator                  .0061                  0.165748
15) 5-Bit Accumulator                  .1103                  2.983456
16) 5-Bit Register                     .0613                  1.657475
17) 7-Bit Counter                      .1275                  3.447549
18) 7-Bit Decoder                      .0294                  0.795588
19) 12-Bit Counter                     .2010                  5.436520

B - Clamp                              -                      0.020664

C - High Power Switch                  -                      0.196000

Pursuant to reference (a) and other research material on the subject, the
following parameters for failure rate apportionment have been used.

a. The probabilities of occurrence associated with the failure modes of an
individual element (transistor, resistor, etc.) given that the element
has failed are shorts 0.9 and opens 0.1. Shorts occur due to ion
migration and pinholes in the oxide. Opens indicate a mechanical break
in the wire or metalization paths. These probabilities reflect the
relatively infrequent observance of open circuits in hermetically
sealed packages. Moisture problems in plastic packages can cause
corrosion of metalization which leads to opens. With hermetically
sealed packages this problem is virtually eliminated.

b. Where the analysis of a logic circuit shows that approximately half the
element failures within that logic will result in the circuit sticking
"high" and half the failures result in the circuit sticking "low",
0.5 will be used for the probability of each event occurring, given that
a failure has occurred in that logic circuit.

c.  In  a situation  where  many  results  are  possible  depending  on  the  system 
status  at  the  time  of  failure,  and  only  one  or  a few  of  these  results 
will  cause  a system  malfunction,  a worst  case  assumption  is  made. 

d. The assumption of partial shorts (in the case of resistors) and parameter
changes are included in the appraisal of short/open failure modes. When
a parameter change or partial short of an element would affect the
system differently than short or open, it is noted in the FMEA tables.
In these cases equal probability values are assigned to each mode. This
provides consistency in our conservative prediction technique.

e. Whenever an element failure mode (short, open) can be classified into
more than one failure classification (I, II, III, or IV) depending on
the system state when the element failure occurs, a linear apportionment
of the failure rate was made. For example, a short in the input coupling
capacitor (C4) of the differential comparator could make the system
abnormally sensitive, nonsensitive, or lock up, depending on the balance
of the amplifier output to reference at the time of failure (time of
failure is the deciding factor). The failure rate associated with a C4
short is .029835 failures/million hours. Accordingly, the probabilities
associated with each failure classification will be 0.25 of the above
failure rate (sensitive corresponding to I or II and insensitive
corresponding to III or IV).

The  following  conditions  were  considered  in  evaluation  of  each  failure  mode  to 
provide  accuracy  and  consistency  in  classification. 

a. A specific failure could cause a specific system effect which falls into
only one failure classification.

Example: 5-Bit Accumulator - Flip Flop 4 - Stuck 1 - would cause the
system to fire on the 8th cycle count instead of the 9th. This fits the
definition of Class II only, i.e., firing between .5 and 1.0 of threshold
cycle count.

In this case the failure rate assigned to the classification is equal to
the element failure rate.

b. A specific failure could cause the system to be completely inoperative.
By definition this fits failure classification IV since the system would
not operate at any signal level. Therefore, the element failure rate
is also assigned to classification IV. This was by far the most common
result of a system failure.

c. A specific failure could cause the system to become insensitive, the
degree depending on the status of the system at the time of failure.
This insensitivity could be a class III or class IV failure. In this
case the failure rate is assigned equally to class III and to class IV.

d. A specific failure could cause the system to be some degree more
sensitive or insensitive depending on the time and specific type of
failure. This event includes the possibility of a class I or II, or
III or IV failure. Only one classification will be encountered if
the element fails, but it is practically impossible to determine in
advance which classification the event will fit. For example, with a
shorted pinch resistor, how much of the resistor is shorted and whether
the short occurs on the left or right side of the tap determine what
the system result will be. Therefore, failure rate is allocated equally
to the four failure classes.

e. A specific element failure could cause no apparent effect on the system.
In this case the failure fits into no classification.

The FMEA tables in the appendix detail the system breakdown and failure rate
apportionment.

Qualitative  Analysis 

For this analysis the system was divided into 21 functional areas and then
subdivided into elements, gates or basic logic depending on their applicability
to the function. Each subdivision was examined for possible failures and the effect
of these failures on the function and the system. It was determined that short and
open failure modes were the most prominent in this type of circuitry and most
emphasis was placed on them. Failure analysis research performed on MOS
circuitry indicates that ion migration and pinholes in the oxide are the most
common causes of shorts. Very basically, ion migration is a phenomenon whereby
impurity ions migrate to positions of opposite charge, which induces migration of
electrons or holes into the semiconductor in the adjacent junction area. This
causes channel formations of opposite charged material between junction areas
which can cause short circuits.

Pinholes are associated with imperfections in the oxide, usually resulting from
processing, which form holes in a thin oxide area. These two failure
mechanisms are important in MOS circuitry because the oxide is very thin. Electrical
potential can break down the thin oxide layers more easily than in Bipolar circuits
where the oxide layers are thicker.

Opens occur due to electromigration (metal migration). Simply stated, this is
caused by a high current density in the metalization paths causing an erosion of
metal ions. The metal simply migrates gradually, leaving gaps in the metal path.
This discussion is by no means an attempt to provide a technical explanation of
failure mechanisms but instead indicates the considerations involved in this
analysis. An in-depth discussion of failure mechanisms can be found in references
(a), (c), and (d).

By  definition,  failure  classifications  I and  II  are  less  desirable  than  failure 
classifications  III  and  IV.  Table  4-5  outlines  a priority  list  of  critical  failures 
for  the  basic  design,  from  the  Failure  Mode  and  Effects  Analysis  Tables,  in  order 
of  significance.  It  should  be  noted,  however,  that  comparison  of  their  relative 
criticality  to  one  another  is  not  intended,  but  rather  their  criticality  to  the 
system. 

The most important point that the FMEA emphasizes is the relatively fail-safe
inter-dependent functional design of the system. Frequency, amplitude and cycle
count are processed and evaluated individually by different functions in the
circuit. A failure of any one area can only cause the system to act abnormally
as to that one signal component. To provide a triggering signal the individual
functional areas must provide proper processing of the signal components. In most
cases a failure of one element will cause the system to become inoperative thus
failing safe (classification IV). By definition this type of failure mode is
least undesirable.

TABLE 4-5. PRIORITY LIST OF CRITICALITY

Deploy Switch & Pulse Generator   Set Input   Short   .072928921   Same as

TABLE 4-5. PRIORITY LIST OF CRITICALITY (CONTINUED)

Amplifier   R1   Partial Short   .031880016   Amplifier gain can increase, causing a smaller
than threshold amplitude component of input signal to be acceptable for firing. However,
frequency and cycle count are constraints and this signal is checked by other functions.

In some cases, however, a failure of an element, gate or logic could possibly
cause a premature firing. All of these cases are listed in Table 4-5. The
interdependency of design provides that most of these failures will be constrained by
checks and balances in other functions within the system. For example, a partial
short of R1 in the amplifier (No. 12, Table 4-5) can allow a small input signal
to be processed as having a proper threshold amplitude. However, the system
will not trigger unless the proper frequency and cycle count, which are processed
and evaluated by different functional areas, are also present. This relationship
can be understood more fully by examining items No. 6 through 16 in Table 4-5.

The most critical areas in the circuit from a premature firing standpoint are the
deploy switch and pulse generator, and the power on detector functions. These
areas provide for initialization of all functions. Individual failures of specific
elements in these functions can cause the pulse generator not to initialize and
result in the system triggering when the automobile ignition switch is activated
(i.e., when starting the car). For example, an open T_o input device in the pulse
generator (No. 1, Table 4-5) inhibits the T_o signal into the flip-flop and prevents
initialization. Specific failures in the current source (short) and capacitor (open)
in the power detector function also prevent initialization. To reduce significantly
the possibility of this occurring, a redundant T_o input device, current source, and
capacitor have been added to the basic design. This insures that either T_o or T_o'
signal will be present even though a failure has occurred in the function.

In  general,  a failure  of  any  other  area  will  cause  the  system  to  become  inoperative 
(failure  classification  IV).  There  are  a few  failures  that  will  cause  the 
system  to  be  slightly  insensitive  (failure  classification  III).  They  can  be  seen 
by  examining  the  FMEA  tables. 
RELIABILITY AND COST ANALYSIS


The  basic  system  failure  rates  allocated  to  each  failure  classification  are  shown 
in  Table  4-6.  This  represents  the  initial  design  configuration.  The  design  of 
the  basic  MOS  chip  has  been  improved  as  described  above  by  the  addition  of 
redundant  elements  in  critical  areas.  These  improvements  result  in  a reduction 
of  the  Failure  Rate  of  the  basic  chip  as  follows: 


                                      Failure Classification
                                 I          II         III        IV

Basic System (Table 4-6)         .729538    .729587    .151061    24.820457*

Redundant Built-in Elements     -.024678   -.016575

Improved Basic System with
Redundant Elements (λ)           .704860    .713012    .151061    24.820457*

The  above  failure  rates  were  used  for  the  reliability  redundancy  analysis. 

Seven  design  configurations  were  considered  for  our  reliability/cost  study 
(Figures  4-1  through  4-7). 

a.  Basic  System 

b.  Redundant  MOS 

c.  Redundant  MOS  & Bipolar 

d.  MOS/Bipolar  Redundant 

e.  Voting  MOS  only 

f. Voting MOS & Redundant Bipolar

g. Voting MOS/Bipolar

Also,  each  configuration  was  analyzed  as  to  burn-in  or  no  burn-in.  This  provided 
14  variations  of  the  basic  design. 

* Includes .077397 failure/million hours for the Bipolar circuit.
TABLE 4-6. BASIC SYSTEM FAILURE RATES BY CLASSIFICATION

                                      Failure Classification Failure Rates (F/10^6 Hrs.)
Functional Area Name                  I          II         III        IV

A - MOS Circuitry
 1) Amplifier                         .010627    .010627    .035422      .407356
 2) Clock Driver                      -          -          -            .265196
 3) Clock Oscillator                  .003729    .003725    .003729      .154560
 4) Compare                           -          -          -           2.718260
 5) Decoder                           .110388    -          -           1.054817
 6) Deploy Switch & Pulse Generator   .081032    .145858    -            .421367
 7) Differential Comparator           .015716    .015746    .015746      .317407
 8) Digital Differentiator            -          -          -            .331495
 9) Internal Control                  -          .029036    .029036      .551141
10) Power Detector                    .023205    .023205    -            .165749
11) Program Gates                     .020718    .020718    .020719     2.324609
12) Program State Flip-Flops          -          -          -           2.187868
13) Subroutine Control                -          -          -            .348070
14) Voltage Regulator                 -          .016575    .046409      .102763
15) 5-Bit Accumulator                 .464063    .464097    -           2.055270
16) 5-Bit Register                    -          -          -           1.657475
17) 7-Bit Counter                     -          -          -           3.447549
18) 7-Bit Decoder                     -          -          -            .795588
19) 12-Bit Counter                    -          -          -           5.436519

B - Clamp                             -          -          -            .018598

C - High Power Switch                 -          -          -            .058800

TOTAL SYSTEM                          .729538    .729587    .151061    24.820457
Costing estimates for the various configurations are shown in Table 4-1.
Estimates were made for production levels of 100,000, 1,000,000, and
10,000,000 units per year based on the following factors. The following
gives incremental costs for the desired system factors utilized in Table 4-1.

                                                  Production Level
Criteria                                          10^5/Year   10^6/Year   10^7/Year

1. Basic System (1 Basic MOS
   Chip & 1 Bipolar Chip)                         $3.25       $2.50       $2.00

2. Burn-In                                         0.30        0.25        0.20

3. Self Check Circuitry                            0.05        0.03        0.02

4. Additional MOS Chips                            1.00        0.80        0.60

5. Additional Bipolar Chips                        0.30        0.20        0.15

6. Large Packaging (Needed for
   Voting Logic Designs)                           0.30        0.25        0.20

The  following  considerations  apply  to  the  Reliability  Cost  Analysis: 

a.  Any  design  using  redundant  circuits  (not  voting  logic)  must  also  have 
self  check  circuitry  to  determine  when  one  path  has  failed.  In  these 
cases  the  cost  and  reliability  of  the  test  circuit  are  considered  in 
the  analysis.  This  self  check  circuit  is  identical  in  design  to  the 
indication  circuit  but  without  an  indicator.  Its  exclusive  use  is  to 
sense  when  one  redundant  path  has  failed  so  that  the  other  path  may 
take  over.  The  additional  cost  of  having  the  test  circuit  and  system 
circuit  on  the  same  chip  is  minimal  (about  $0.02  to  $0.05  per  chip 
depending  on  production  level). 

b. The failure rate for new MOS chips is not constant, but decreases with
time during the first several hundred hours of operation due to early
life failures. The question arises therefore whether the chip should
be burned-in by the manufacturer. This problem is examined by evaluating
the failures saved by burn-in relative to the cost. The cost of burn-in
buys: 1) a 100% screening before burn-in, 2) the burn-in itself,
and 3) a 100% check after burn-in. To be consistent with the prediction
model used previously, a factor of 2 is designated for MOS chips for
processing using screens and burn-in comparable to RADC Spec 2867 based
on limited testing (sample subjected to destructive tests to establish
absolute limits of stressing which devices can withstand) to identify
major failure modes and mechanisms to which screens are tailored. On
the other hand, a factor of 1 is designated for optimum screening
(100% burn-in). Therefore, placing a 2 in the basic prediction for
π instead of 1 yields the chip failure rates without 100% burn-in.

           I          II         III        IV

MOS        1.40972    1.426024   .302122    49.486120

BIPOLAR    -          -          -            .154795

TOTAL      1.40972    1.426024   .302122    49.640915

The cost of burn-in is estimated at $0.20 to $0.30 per chip depending on
production level.

c. Since the four failure classifications represent different degrees of
acceptability, weighting factors were applied to each failure classification
as a basis for relative consideration in the analysis. In this way a fair
comparison of configurations could be made. A factor of 4 was utilized
between successive failure classifications. That is, one Class I failure
was as desirable (or undesirable) as 4 Class II failures, or 16 Class III
failures or 64 Class IV failures. Refer to Table 4-7.


TABLE 4-7. FAILURE RATES AND WEIGHT FACTORS FOR BASIC BUILDING BLOCKS
(λ = F/10^6 Hrs.)

The last column of Table 4-1 contains the ranking of the configurations to each other
based on a calculation of unreliability multiplied by cost. Since both unreliability
and cost are parameters which should be minimized, the minimum "cost x reliability"
calculation indicates the optimum configuration. Unreliability was used
instead of reliability because reliability is an exponential function which is
not directly compatible in this type of analysis with cost, which is a linear
function. Unreliability can be shown to be approximately linear to failure
rate by the first order expansion of the unreliability. That is:

$$
\begin{aligned}
U &= 1 - R \\
  &= 1 - e^{-\lambda T} \\
  &\approx 1 - (1 - \lambda T) \\
  &= \lambda T
\end{aligned}
$$

The  most  reliable  systems  are  all  burned-in,  redundant  design  (not  voting  logic) 
and  relatively  medium  priced.  All  of  the  redundant  configurations  are  more 
reliable  and  cost  less  than  the  voting  logic  configurations.  For  instance  the 
most  reliable  redundant  design  (Figure  4-3)  costs  $4.90  and  total  system 
reliability  is  .999766;  the  most  reliable  voting  logic  design  (Figure  4-6)  costs 
$6.15  and  total  system  reliability  is  .999492. 

Configurations  not  burned-in  are  at  the  bottom  of  the  reliability  scale.  Another 
very  important  feature  of  the  redundant  configuration  is  the  fact  that  circuit 
failure  indication  is  already  built  in.  Only  an  indicator  on  the  auto  dashboard 
and  very  minor  circuitry  are  needed.  The  impact  of  the  addition  of  an  indication 
system  and  maintenance  on  reliability  is  discussed  below. 

The  range  of  costs  considered  for  the  14  configurations  represents  a full  range 
of  available  circuits. 

Figure 4-3 has the highest total system reliability. This calculation (total
system reliability) indicates the probability that the system will not fail due
to any combination of system failure classification failures. The breakdown
into failure classification for the Figure 4-3 configuration is as follows:
                                 Classification Number
                   I            II           III          IV           Total System

T = 500 Hrs.       .99999987    .99999987    .99999999    .99978917    .999766
T = 2500 Hrs.      .99999690    .99999682    .99999986    .99502654    .994500
T = 5000 Hrs.      .99998762    .99998733    .99999942    .98148439    .979602


For  example,  at  T = 500  Hrs.  (1  year  operation)  the  probability  of  a Class  I 
failure  is  13  chances  in  100  million.  At  T = 5000  hrs.  (10  years  operation), 
the  probability  of  a Class  IV  failure  is  about  1 in  50.  These  results  are 
representative  for  the  other  redundant  circuits  (Figures  4-2  and  4-4).  The 
above  calculations  demonstrate  the  high  fail  safe  design  of  this  system.  If 
the  system  does  fail,  it  will  fail  safe  rather  than  triggering  accidentally. 
These  calculations  have  been  made  for  a system  without  repair.  The  calculations 
below show the effect maintenance has on the reliability, i.e., with the
addition of a dashboard indicator lamp and immediate replacement when the lamp
lights.


The test circuit will check the system every time the car engine is started
(assuming 0.5 hr.). The system reliability follows a sawtooth curve:

Every time the test finds the system functioning properly, the reliability curve
starts over again. Therefore, the reliability of the circuit at t = .5 is:

$$R(t) = e^{-\lambda t}$$

$$R_1(t) \geq R_1(t = .5) = e^{-\lambda_1 \times .5}$$

$$R_{sys}(t) = R_I \times R_{II}$$

where $R_I$ = Reliability of the MOS circuit (1 out of 2)

      $R_{II}$ = Reliability of the Bipolar circuit (1 out of 2)

The test circuit does not check the Bipolar circuit, therefore, the reliability
of Configuration 3 with a failure indication system is:

$$R_{sys}(t) \geq \left[1 - (1 - e^{-\lambda_1 \times .5})^2\right]\left[1 - (1 - e^{-\lambda_2 t})^2\right]$$

For t = 500 hrs:

$$R_{sys}(t) \geq \left[1 - (1 - e^{-\lambda_1 \times .5})^2\right]\left[1 - (1 - e^{-\lambda_2 \times 500})^2\right]$$


Similarly for t = 2500 and 5000 hrs. The table below gives the calculated
values:

                            Classification Number
                   I      II     III    IV

T = 500 Hrs.       1      1      1      .9999999983
T = 2500 Hrs.      1      1      1      .9999999624
T = 5000 Hrs.      1      1      1      .9999998501


It can be seen that the system reliability, when a failure indicator and
maintenance philosophy are introduced, is greatly increased. In fact, the system
reliability is now almost wholly dependent on the reliability of the redundant
Bipolar circuit.
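
The self-test bound above, worked through with this page's failure rates, as an added example that is not part of the original report: it reproduces the 0.986892 basic-system figure and the Class IV values of the self-test table. The function names are hypothetical, and taking the MOS rate as the system rate minus the bipolar share from the table footnote is an assumption of the example.

```python
import math

# Failure rates in failures per 10^6 hours, by failure classification, taken
# from this page: the improved basic system (with burn-in) and the bipolar
# share of the Class IV figure given in the table footnote.
SYSTEM_RATE = {"I": 0.704860, "II": 0.713012, "III": 0.151061, "IV": 24.820457}
BIPOLAR_RATE = {"I": 0.0, "II": 0.0, "III": 0.0, "IV": 0.077397}
# Assumption of this example: MOS rate = system rate minus the bipolar share.
MOS_RATE = {c: SYSTEM_RATE[c] - BIPOLAR_RATE[c] for c in SYSTEM_RATE}

SELF_TEST_INTERVAL_HRS = 0.5  # one engine start-stop cycle, as in the text


def unreliability(rate, hours):
    """U = 1 - exp(-lambda*T); expm1 keeps precision when lambda*T is tiny."""
    return -math.expm1(-rate * 1e-6 * hours)


def one_of_two(rate, hours):
    """Two identical channels in parallel: the pair fails only if both fail."""
    return 1.0 - unreliability(rate, hours) ** 2


def basic_system(hours):
    """Single MOS chip plus single bipolar chip; a failure of any class counts."""
    return math.exp(-sum(SYSTEM_RATE.values()) * 1e-6 * hours)


def redundant_untested(cls, hours):
    """Redundant MOS and bipolar pairs with no self-test or repair.
    Simplified: the failure rate of the self-check circuit itself is omitted,
    so this does not reproduce the page's no-repair figures exactly."""
    return one_of_two(MOS_RATE[cls], hours) * one_of_two(BIPOLAR_RATE[cls], hours)


def redundant_self_tested(cls, hours):
    """Lower bound with a self-test at every start and immediate replacement:
    the MOS pair never ages past one test interval (the sawtooth), while the
    untested bipolar pair ages for the full period."""
    mos_hours = min(hours, SELF_TEST_INTERVAL_HRS)
    return one_of_two(MOS_RATE[cls], mos_hours) * one_of_two(BIPOLAR_RATE[cls], hours)


def bipolar_share(cls, hours):
    """Fraction of the remaining unreliability contributed by the bipolar pair."""
    mos_u = unreliability(MOS_RATE[cls], min(hours, SELF_TEST_INTERVAL_HRS)) ** 2
    bip_u = unreliability(BIPOLAR_RATE[cls], hours) ** 2
    return bip_u / (mos_u + bip_u)


if __name__ == "__main__":
    print(f"basic system, 500 h: {basic_system(500):.6f}")
    for hours in (500, 2500, 5000):
        row = "  ".join(f"{redundant_self_tested(c, hours):.10f}" for c in SYSTEM_RATE)
        share = bipolar_share("IV", hours)
        print(f"T = {hours:>4} h  {row}  bipolar share of Class IV: {share:.3f}")
```

The bipolar share of the remaining Class IV unreliability rises from about 0.91 at 500 hours to above 0.99 at 5000 hours, which is the dependence on the untested bipolar circuit that the text describes.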


SECTION  5.  REPORT  SUMMARY 


OVERALL  DESIGN  PLAN 

The  Burroughs  approach  to  the  Crash  Sensor  Signal  Processor  is  based  on  a 
digital,  MOS  integrated  circuit  technology.  There  are  many  advantages  to  this 
method  of  implementation,  the  most  important  being  as  follows: 

1.  Digital  processing  is  highly  accurate  and  sophisticated 
decision  criteria  can  be  readily  implemented. 

2.  Because  discrete  (analog)  components  are  largely 
absent,  size,  cost,  and  unreliable  soldered  connections 
are  minimized. 

3. MOS technology permits a high device count per chip, so
that redundancy and self-checking can be included to
improve reliability.

4.  The  analog  properties  of  MOS  devices  are  compatible  with 
the  preamplification  required  for  interfacing  the  radar 
system  with  the  digital  processor,  so  that  the  entire 
system  except  for  the  high  power  output  driver  can  be 
incorporated  on  a single  chip. 

5.  The  MOS  process  requires  a minimum  number  of  diffusion 
steps,  and  is  thus  inherently  low  in  cost,  offers  a high 
yield,  and  is  amenable  to  very  high  production  rates. 


REDUNDANT  CIRCUITRY  COST/EFFECTIVENESS 

The cost/effectiveness of providing a redundant processing channel is excellent.
The improvement in reliability is formidable. For example, the basic system
(with burn-in) has a 500-hour reliability of 0.986892, whereas the addition of
one redundant processing and output channel increases the reliability to 0.999766.
At the same time, the component cost increases from $3.55 to only $4.90.
The low cost of providing redundancy is inherent in the MOS process. Integrated
circuit costs tend to vary according to the linear dimensions of the chip,
whereas the device count increases as the square of the linear dimensions. This
advantage is obtained subject to a restriction on maximum chip size. Fortunately,
the level of complexity involved in the processor permits redundancy on a single
chip. The same advantage applies to the bipolar circuitry; however, the
proportion of total cost in the latter is small and the effect on cost negligible in
any case.

SELF-TESTING 

The advantages of the MOS integrated circuit with regard to built-in redundancy
also apply to the incorporation of self-checking routines, and the improvement
in reliability is similarly quite significant. If the self-checking occurs each
time the engine is started, the MOS reliability for extended periods is essentially
that for a single engine start-stop cycle (assuming that failure indication is
heeded and replacement made). The entire system reliability then becomes that of
the output switch, which is not so readily self-tested.

COSTS 

The active component cost of the least reliable system (no redundancy or burn-in)
is $3.25, as compared to $4.90 for the most reliable system (based on 100,000
pieces/year). The packaging and interconnection costs are essentially identical,
so  that  the  relative  cost  of  redundancy  becomes  even  less  significant.  When  the 
costs  of  the  radar  unit  and  the  restraint  mechanism  itself  are  considered,  it 
becomes  obvious  that  there  is  a strong  case  for  considering  the  high  reliability 
system  as  the  primary  means  of  implementation. 

FAILURE  RATE  PREDICTION 

The reliability figures and failure rates developed in the report can be placed
in perspective if applied to the total vehicle-hour usage in the United States
during a one-year period, and if compared with accident statistics.


The analysis presented in Section 4 for the redundant processor system predicts
reliability in excess of 0.999999 for 500 hours (one year of vehicle operation)
for failure modes resulting in unwarranted deployment. Thus, less than one
vehicle per million per year will experience such a failure, and the total for
100,000,000 U.S. vehicles will be less than 100. It is likely that a higher
number of unwarranted deployments will result from other causes, such as shorts
in wiring harnesses and failure to properly maintain equipment. With self-checking
and failure indication upon engine starting, the number of such failures becomes
vanishingly small.

The reliability for failure modes resulting in failure to deploy is somewhat
lower (0.9998). In this case, 20,000 vehicles per year may experience potential
failure to deploy, but only a small percentage of these will be placed in a
situation where deployment is necessary. Again, failure of external connections is
likely to be the overriding cause of trouble, and the use of self-checking and
failure indication reduces processor system failures to negligible proportions.

When the above figures are contrasted with the U.S. toll of 50,000 deaths,
2,000,000 injuries, and 25,000,000 reportable accidents per year, it becomes
evident that the proposed system represents a potential saving in both absolute
dollars and in the human cost of accidents, which far outweighs the cost of its
installation.
APPENDIX A

Failure Mode and Effect Analysis (FMEA) Tables

AMPLIFIER - Differential amplifier with current sources followed by 2 stages of amplification (single ended) & feedback from last stage

AMPLIFIER (continued) Page 2 of 2

CLOCK DRIVER (2-Phase) - Provides all clock functions in the system.

CLOCK OSCILLATOR - Supply timing for system, 2-phase clock, all frequency decisions

COMPARATORS (2) - Compares initial input signal with subsequent cycle inputs. Comp-1: Subsequent cycles Comp-2: Initial input cycle

DECODER - Internal timing of generating Ta signal

DECODER (continued)

DEPLOY SWITCH & PULSE GENERATOR - a) Pulse Generator; b) Trigger Gate

a) Pulse Generator - 1) Turns current section on for output. 2) Insures no power until system stabilizes. 3) D

a) Pulse Generator (continued)

DIFFERENTIAL COMPARATOR (1-Volt Threshold) - Establishes signal threshold.
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FAILURE 

CLASSIF. 
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X X 

X X 
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X 

X X 

X X [ X X 
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X 

X 

X 

X 

X 

X 

- 
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CO 
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Depends  on  Bal.  of 
Ampl.  output  to  ref- 
erence. Could  put  a 
check  device  to  deter- 
mine If  system  moves 
to  sensitive  area. 
System  could  be  shut 
down,  etc. 

APPOR- 
TIONED 
FAIL.  RATE 
(FAQ8  HRS.) 

. 02983450 
. 00331495 

. 02984507 
.00331495 

. 02983450 
. 00331495 

. 02983456 
. 00331495 
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. 00331495 

. 02983456 
. 00331495 

. 02983456 
. 00331495 

EFFECT  OF  FAILURE  ON 

SYSTEM 

Could  make  system 
abnormally  sensitive, 
nonsensitive  opera- 
tion lockup. 

Won't  operate. 

Won't  operate. 
Won't  operate 

Won't  operate 
Won't  operate 

Won't  operate 
Won't  operate 

Won't  operate 
Won't  operate 

Won't  operate 
Won't  operate 

Won't  operate 
Won't  operate 

Won't  operate 
Won't  operate 

Won't  operate 
Won't  operate 

Won't  operate 
Won't  operate 

FUNCTION  AREA 

Comparator 

Sensitivity 

No  input  signal 

Lose  input  signal 

Lose  ref.  on  comp- 
arator 

Lock  Comparator 

Lock-up 

Lock-up 

Lock-up 

Lock-up 

Lock-up 

Lock-up 

Lock-up 

Lock-up 

Lock-up 

Lock-up 

Lock-up 

Lock-up 

Lock-up 

Lock-up 

Lock-up 

Lock-up 

FAILURE 

MECHANISM 
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Ion  migration 
Electromigration 
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MODE 

Short 

Open 

Short 

Open 

Short 

Open 

Short 

Open 

Short 

Open 

Short 

Open 

Short 

Open 

Short 

Open 

Short 

Open 

Short 

Open 

FUNCTION 

Input  Coupling 
Capacitor 

Comparator  bias 
voltage  resistor 

Current  Source 

The  Comparator 

Load 

The  Comparator 

2nd  Stage 

2nd  Stage  Load 

3rd  Stage 

3rd  Stage  Load 

NAME  & CODE 

C4 

R44 

Q17 

Q18 

Q19 

Q20 

Q21 

CM 

CM

Q23

Q24 
DIFFERENTIAL COMPARATOR (continued)

DIGITAL DIFK - Provide signal compatibility between analog and digital processor logic.
INTERNAL CONTROL - Clear, preset & enable all internal flip-flops, counters, registers & subroutines as directed by the master program
POWER ON DETECTOR - Initialize all functions and constrain all operations until regulator comes up to speed
PROGRAM GATES - Tell flip-flops when to change state as a function of data and other flip-flops
PROGRAM STATE FLIP-FLOPS - Define states and state flow diagram; identifies what state the program is in and where to go next
SUBROUTINE CONTROL - Control for subroutine control.
SYSTEM

Lock-up 

No  apparent  effect 

Lock-up 

No  apparent  effect 

FUNCTION  AREA 

X at  wrong  time 
No  X 

X at  wrong  time 
No  X 

FAILURE MECHANISM

FAILURE MODE

Stuck high
Stuck low

Stuck high
Stuck low

FUNCTION

2 comparators input

Takes 2 time signals from the comparators and produces an X output to the program

NAME & CODE

J-K flip-flop

Complex gate
VOLTAGE REGULATOR - Provides separate voltage regulation for a) clock and b) comparator and amplifier
CYCLE COUNT ACCUMULATOR (5 bit) - 1) Determines how many cycles have accumulated and 2) counts number of input cycles since initial cycle. Represented in binary form; when this registers 8 cycles, an output pulse is introduced, and when compared to long count of 12-bit counter, this classifies frequency
5-BIT REGISTER - Stores signal Ta from 12-bit counter; provides signal Ta information to the compare function.
fine tuning of frequency input analysis

7-BIT DECODER - Part of the system to detect failure of Ta signal and fine tuning of frequency input.
12-BIT COUNTER - Provides time period information to be used for frequency classification.
Protects MOS system from large voltage spikes.
HIGH POWER SWITCH (Current Driver) - High current switching deploy signal.
APPENDIX B


REPORT  OF  INVENTIONS 


After  a diligent  review  of  the  work  performed  under  this  contract 
no  new  innovation,  discovery,  improvement  or  invention  was  made. 